CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019...
Transcript of CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019...
![Page 1: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/1.jpg)
CS 188Scalable Internet Services
Andrew MutzNovember 14, 2019
![Page 2: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/2.jpg)
Announcements
November 14, 2019 Security in Scalable Internet Systems
November 19, 2019 HTTP/2 and QUIC
November 21, 2019 Intelligent Systems
November 26, 2019 Microservices, Containers, Kubernetes
November 24, 2019 Thanksgiving day, No class
December 3, 2019 CDNs and Course conclusion
December 5, 2019 All papers due. Final Presentations
December 6, 2019 Final Presentations
![Page 3: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/3.jpg)
Announcements
We have about 3 weeks until the end of the course. At this point, everyone should have working applications and working load testing scripts.
Over the next 3 weeks, everyone should be focusing on the remaining items:
Scaling and load testing their applications.
The final course presentations, which will occur on Dec 5 and Dec 6.
The final course writeup, due December 5 at 12pm noon.
![Page 4: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/4.jpg)
Announcements
December 5 and 6: final presentation will be in last week of lectures (not finals week). Roughly 15 mins per team and all members need to be present.
● Project Overview○ Demo of your working application○ Application architecture
● Experiments and Results○ Critical user paths used for load testing○ Optimizations you performed: before & after measurements○ Any future optimizations that you haven't had time to implement.
● Conclusions and lessons learned○ Team organization, pair programming, Test Driven Development○ Building a scalable web service○ Any other of interest
![Page 5: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/5.jpg)
Final course write-up Due Dec 5 at noon.
The final course write-up is where you record the various scaling improvements and optimizations that you have made and the performance improvements that have resulted. This write-up should include:
● A brief description of your project● A brief description of the user paths used to evaluate performance● For each of your performance & scalability improvements
○ A description of what was changed and improved○ A description of why this improves your application○ A quantitative demonstration of the effects: graphs & numbers
Sample papers from previous years:● http://www.scalableinternetservices.com/sample_projects/foodies.pdf● http://www.scalableinternetservices.com/sample_projects/noitcua.pdf
Announcements
![Page 6: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/6.jpg)
Evaluation: your grade in the course will be determined in these rough categories
● 30%: web service complexity● 50%: load testing and scaling (communicated through
presentation and write-up)● 10%: quality of project presentation● 10%: quality project write-up
All grades are subject to team mate grading!
Announcements
![Page 7: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/7.jpg)
Likely areas of load testing and scaling:
● Vertical scaling● Horizontal scaling● Performance optimization related to number of processes/threads● Performance optimization of database interaction● Performance optimization using client-side caching● Performance optimization using server-side caching (disk, memory,
memcache)
Possible (more difficult) areas of load testing and scaling:
● Scaling via database sharding● Scaling via SOA● Scaling using read-slaves
Announcements
![Page 8: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/8.jpg)
Motivation
Internet services increasingly mediate more and more interactions in modern society● I want to buy dinner.● I want to save important documents.● I want to manage my investments.
Every day, billions of people use the same suite of technologies to solve these problems.
How do we keep these interactions secure?
![Page 9: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/9.jpg)
Motivation
What sort of bad actors can we see in the system?
![Page 10: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/10.jpg)
Motivation
What sort of bad actors can we see in the system?
Bad clients?
![Page 11: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/11.jpg)
Motivation
What sort of bad actors can we see in the system?
Bad servers?
![Page 12: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/12.jpg)
Motivation
What sort of bad actors can we see in the system?
Bad middle-men who can snoop?
![Page 13: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/13.jpg)
Motivation
What sort of bad actors can we see in the system?
Bad middle-men who can modify traffic?
![Page 14: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/14.jpg)
Motivation
What sort of bad actors can we see in the system?
All of the above.
![Page 15: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/15.jpg)
Goals
What do we want?
● Privacy○ My private data can not be read by third parties.
● Authentication○ The client knows it’s talking to the right server, and the server knows it’s
talking to the right client.
● Integrity○ Data (at rest or in flight) can’t be tampered with.
![Page 16: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/16.jpg)
Today’s Agenda
Web Security Basics
● HTTPS● Firewalls● SQL Injection● Cross-Site Scripting● Cross-Site Request Forgery
![Page 17: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/17.jpg)
HTTPS
HTTPS is designed to protect us against malicious intermediaries and malicious servers.
![Page 18: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/18.jpg)
HTTPS
Building our application on TCP gives us an initial start at security on the internet. How does TCP protect us against one of the above bad actors?
![Page 19: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/19.jpg)
HTTPS
TCP sequence numbers mean that an observer of our HTTP traffic can read everything, but can’t really tamper with our session.
An intermediary, on the other hand, has complete control.
![Page 20: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/20.jpg)
HTTPS
Also, because we tend to use cookies for session management, an observer can issue additional requests on our behalf
Conclusion: TCP alone doesn’t protect much.
![Page 21: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/21.jpg)
HTTPS - Goals
What do we want from a secure sockets layer?
● Privacy○ My communications should be hidden from the observers of my traffic
● Integrity○ My communications should not be tampered with by intermediaries
● Authentication○ I can be sure I am speaking to the intended server, and not a
malicious third-party.
![Page 22: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/22.jpg)
HTTPS
One slide introduction to cryptography:
● Symmetric Cryptographic Algorithm○ A function that can encode and decode data using a key, k:○ encode(p, k) = c, decode(c, k) = p○ Common implementations: AES, DES, Threefish
● Asymmetric Cryptography○ A pair of keys, one public (k1) and one private (k2).○ encode (p, k1) = c, decode(c, k2) = p○ encode (p, k2) = c, decode(c, k1) = p○ By keeping k2 private, encoding with k2 is called “signing”.○ Common implementations: RSA, DSA, Diffie-Hellman*
![Page 23: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/23.jpg)
HTTPS
How far can symmetric cryptography alone get us?
![Page 24: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/24.jpg)
HTTPS
How far can symmetric crypto alone get us?
● If we have a shared key: Privacy, Integrity & Authentication● But how do we get a shared key?
![Page 25: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/25.jpg)
HTTPS
We want the web to work with combinations of arbitrary clients and servers, so there are no a priori shared secrets.
How do we establish a shared symmetric key without intermediates knowing it?
![Page 26: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/26.jpg)
HTTPS
Let’s use asymmetric cryptography to establish a shared session key.
![Page 27: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/27.jpg)
HTTPS
This works against the observer, but not the intermediary. Why?
![Page 28: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/28.jpg)
HTTPS
Man in the middle attack:
● Intermediary creates his own keypair.● Presents his public key to the server as the client’s key● Presents his public key to the client as the server’s key● Establishes one shared key with the client and another
with the server.● Can shuttle requests and responses back and forth,
inspecting and modifying with complete control.
![Page 29: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/29.jpg)
HTTPS
How can we prevent this?
![Page 30: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/30.jpg)
HTTPS
How can we prevent this?
● If the browser knew everyone’s public key a priori, the man in the middle attack wouldn’t work.○ But there are too many servers, and new ones go up all the time.
● Hint: keys can sign other keys...
![Page 31: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/31.jpg)
HTTPS - Certificates
Insight: we can use private key signatures to transitively authenticate someone. Example:
● Alice trusts Bob and has his public key● Bob knows Charlie and has his public key● Charlie wants to talk to Alice and presents his public key● Alice doesn’t know if this is really Charlie, or someone else who has
handed over their own private key.● In order to solve this, Charlie has Bob write down “Charlie’s
public key is [...]” and sign it with his private key.● Because Alice trusts Bob, she knows Charlie is legitimate
when he provides the Bob-signed document.● This document is known as a certificate.
![Page 32: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/32.jpg)
HTTPS - Certificates
Solution: Browser maintains a small list of trusted Certificate Authorities (CAs)● Any website can present a certificate issued by a CA and the browser can
trust that the party is legitimate● Certificates can be chained.
○ “Root” CA vs. “intermediate” CA
![Page 33: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/33.jpg)
HTTPS
Summary:
● Certificates are used to verify the identity of the server ● Asymmetric cryptography is used to establish a shared
key.● Once a shared key has been established, symmetric
cryptography is used for the session.
TLS allows combinations of different cipher suites to be used.
![Page 34: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/34.jpg)
HTTPS - SSL HandshakeAfter TCP setup:
1. Client initiates SSL handshake with a list of CipherSuites and a random number
2. Server responds with its cert, selected CipherSuite and a random number
3. Client creates session key based on exchanged randomness, encrypts with server’s public key
4. Both sides switch to using symmetric key.
“High Performance Browser Networking”, Page 51
![Page 35: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/35.jpg)
HTTPS - SSL Handshake
Latency involved in two extra round trips is expensive.
For repeated access by a client we can speed this up...
![Page 36: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/36.jpg)
HTTPS - Abbreviated SSL HandshakeAfter TCP setup:
1. Session ID is added to connections with new hosts
2. Client initiates SSL handshake with previously-used Session ID
3. Server acknowledges previously used Session ID
4. Each side computes session key based on the remembered random numbers.
5. Both sides switch to using symmetric key.
“High Performance Browser Networking”, Page 57
![Page 37: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/37.jpg)
HTTPS - Goals
Have we achieved our goals?● Privacy
○ Because no other party can know the three random numbers with which we generated the session key, our data can not be read by intermediaries
● Integrity○ Each TLS frame includes a Message Authentication Code
(MAC) that prevents tampering.● Authentication
○ Because the public key used by the server has an associated certificate, and because I trust the CA, I know this is the intended party
![Page 38: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/38.jpg)
HTTPS - Certificates
Certificates can be revoked.● Why might we need to revoke a certificate?
○ Private key compromised○ Intermediate CA was compromised
● Two main mechanisms for certificate revocation○ Certificate Revocation List
■ Periodically get a list of all revoked certificates. If a connection is attempted with a revoked certificate, do not allow it.
○ Online Certificate Status Protocol (OCSP)■ At request time, query the CA to check if revoked.
○ Advantages of each?
![Page 39: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/39.jpg)
HTTPS
Where should SSL terminate?
or
![Page 40: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/40.jpg)
HTTPS Termination
Advantages of terminating SSL at the load balancer● If each app server maintained its own session cache, it would frequently
miss.● Load balancer can be built with hardware acceleration for TLS handshake.● Load balancer can see inside each request, potentially improving its
balancing decisions.● Private key just sits in one place
Advantages of terminating SSL at the App Server● Data between load balancer and app servers stays private
![Page 41: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/41.jpg)
HTTPS Strict Transport Security
HTTPS gives us very good security for the web, but users aren’t always aware of it.
● Lock icon can be subtle
Strict Transport Security gives us the option of telling a browser “for all future communications, use HTTPS”.
● Response sent HTTP Header● Strict-Transport-Security: max-age=31536000
![Page 42: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/42.jpg)
Three common attacks
Next, we will look at three common security vulnerabilities on the web, and how to mitigate them:
● SQL injection○ Getting a database to execute bad SQL
● Cross-site scripting○ Getting a browser to execute bad javascript
● Cross-site Request Forgery○ Getting a browser to submit bad data
![Page 43: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/43.jpg)
SQL Injection
![Page 44: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/44.jpg)
SQL Injection
A SQL injection attack is when a malicious user submits a carefully crafted HTTP request that causes your app server to interact with the database in a manner you did not intend.
![Page 45: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/45.jpg)
SQL InjectionHow could we manipulate this code?
def create
user_id = params[‘user_id’]
comment_text = params[‘comment_text’]
sql = <<-SQL
INSERT INTO comments
user_id=#{user_id},
comment=#{comment_text}
SQL
ActiveRecord::Base.connection.execute(sql)
end
![Page 46: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/46.jpg)
SQL Injection
What if a user submitted the following parameters?
user_id=5
comment_text=’; UPDATE users SET admin=1 where user_id=5 and ‘1’=’1
def create
user_id = params[‘user_id’]
comment_text = params[‘comment_text’]
sql = <<-SQL
INSERT INTO comments
user_id=#{user_id},
comment=’#{comment_text}’
SQL
AR::Base.connection.execute(sql)
end
![Page 47: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/47.jpg)
SQL Injection
INSERT INTO comments
user_id=#{user_id},
comment=’’; UPDATE users SET admin=1 where user_id=5 and ‘1’=’1’
sql = <<-SQL
INSERT INTO comments
user_id=#{user_id},
comment=’#{comment_text}’
SQL
![Page 48: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/48.jpg)
SQL Injection
How do we mitigate this?
● Never insert user input directly into a SQL statement without sanitizing it first.
● Rails does a lot of the work here for you:○ Access through the AR ORM is safe○ If you need to sanitize custom sql, you can use the sanitize method:
SELECT *
FROM comments
WHERE id=#{Comment.sanitize(params[:id]))}
![Page 50: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/50.jpg)
Cross-site scripting
![Page 51: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/51.jpg)
Cross-site Scripting
Javascript is powerful:● If I can get another user to execute arbitrary javascript in the context of
another page, it can issue arbitrary HTTP requests to the server.● Ajax requests are limited to the domain that the JS originated from, but
requests back to that domain will include all relevant cookies.● For example, if I can execute arbitrary JavaScript in the browser that is
running http://wellsfargo.com, all Ajax requests will occur with the user’s current cookies (and session)
![Page 52: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/52.jpg)
Cross-site Scripting
Basics of a Cross-site Scripting (XSS) attack:
● One user submits data that will be displayed to other users of the web application.○ User comments are a common example
● When another user visits the page, the server includes this data as part of the body of the webpage.
● When the victim’s browser encounters this data, it executes it in the same way it executes all javascript that came from the server
![Page 53: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/53.jpg)
Cross-site Scripting
Example:
![Page 54: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/54.jpg)
Cross-site Scripting
Because the application developer is just redisplaying the data submitted by one user into the DOM of another user, one user can do anything that the other, logged-in user can do.● In an email website, it could send emails on your behalf, or read your mail● On a bank website, it could potentially transfer money to an attacker
How might we prevent this?
![Page 55: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/55.jpg)
Cross-site Scripting
Sanitize the data that you are displaying to the user.
Rails does this for you. Example:If I enter form data as:<script>alert(“oops”);</script>Rails will save it to the database as exactly that.
But when I go to display it to the user:<%= submission.title %>
Rails takes the title (exactly as above) and automatically converts it to<script>alert("oops.");</script>
![Page 56: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/56.jpg)
SQL Injection & XSS prevention
How do we make sure we aren’t making injection errors?
● Fuzzing: provide semi-random input to the application and watch for errors
● Tarantula: An automated tester that crawls your application and fuzzes for injection errors:○ https://github.com/relevance/tarantula
![Page 57: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/57.jpg)
Cross-site Request Forgery
![Page 58: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/58.jpg)
Cross-site Request Forgery
Ingredients for this attack:
● One maliciously-controlled server● One benign web server● One well-meaning client who happens to visit the
maliciously-controlled server.
![Page 59: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/59.jpg)
Cross-site Request Forgery
Ajax requests can’t cross domains, but some requests can:
● I can set up a form on domain1.com to POST to domain2.com.
● Alternately, I can use an img tag on domain1.com to GET a resource on domain2.com that has side-effects
● I can’t do it with Ajax, so I can’t see the result, but it can still do damage.
● Like with XSS, All session cookies, etc. will betransmitted to the server
![Page 60: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/60.jpg)
Cross-site Request Forgery
https://evil.com
Sign up for a fun service!
Email:
Submit Actually submits to
https://wellsfargo.com/txn/new
Your bank transfer is complete!
![Page 61: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/61.jpg)
Cross-site Request Forgery
https://evil.com
Check this image out:
<img src="http://bank.example.com/withdraw?account=Alice&amount=1000000&for=Mallory">
When viewed, the image tag attempts to load, performing HTTP GET with session cookies
![Page 62: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/62.jpg)
Cross-site Request Forgery
How do we mitigate this?
● First, make proper use of HTTP semantics. GETs shouldn’t have side effects.
● For form POSTing, a common technique is to add a random token as a hidden field in each form rendered.○ If the form is submitted without the token, the
request is denied.
![Page 63: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/63.jpg)
Cross-site Request Forgery
How does this look in Rails?class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
protect_from_forgery with: :exception
end
This causes a hidden form field to silently be added to all forms:<input name="authenticity_token" type="hidden" value="SLNTcHBDnzl21gPHVoF3DAUEGZLAxWYqZ1FQxBBlmek=">
![Page 64: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/64.jpg)
Cross-site Request Forgery
Note: these authenticity tokens make load testing with Tsung difficult.
There is a great writeup on how to manage CSRF tokens in Tsung on Piazza
If you can't get that to work, it is acceptable to disable CSRF protection while load testing in this class.
![Page 65: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/65.jpg)
Firewalls
Used to secure devices from outside access● Enforces access control policy between two networks● Two designs: restrict “bad traffic” or permit “good traffic”● Designed to operate at different layers of the network stack
Can be standalone hardware devices or software● Often included in multi-purpose device e.g. switch or load
balancer
![Page 66: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/66.jpg)
When to use a Firewall
● Use firewalls only when they significantly reduce risk● Employ firewalls to protect sensitive data
○ Critical PII, PCI compliance, etc.
● Firewalls should be treated like perimeter security○ Like the locks on your house
● Consider the value of what you are protecting and the cost to firewall it○ Like your house, there are some things that are not worth
protecting■ Can you think of examples?
![Page 67: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/67.jpg)
When to use a Firewall
Firewalls are often overused
“Failed firewalls are the #2 driver of site downtime after failed databases”
● Scalability Rules, by Martin Abbott
Can create difficult to scale chokepoint for either network traffic or transaction volume
May have impact on availability
● DDoS attacks on session state memory
![Page 68: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/68.jpg)
Common Firewalls
● Software○ Included with operating systems (ipfw)○ Can also buy standalone
● Hardware○ Cisco ASA, Citrix AppFirewall, F5 AFM
● EC2 Security Groups○ Allow specific protocols and ports to access server○ Can restrict machines to only accept traffic from Elastic
Load Balancer
● A typical large scale web service will use both hardware and software firewalls
![Page 69: CS 188 · November 19, 2019 HTTP/2 and QUIC November 21, 2019 Intelligent Systems November 26, 2019 Microservices, Containers, Kubernetes November 24, 2019 Thanksgiving day, No class](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ed68a6fff0e593c0b6409b0/html5/thumbnails/69.jpg)
For Next Time...
We have about 3 weeks until the end of the course. At this point, everyone should have working applications and working load testing scripts.
Over the next 3 weeks, everyone should be focusing on the remaining items:
Scaling and load testing their applications.
The final course presentations, which will occur on Dec 5 and Dec 6.
The final course writeup, due December 5 at 12pm noon.